Package org.opends.server.core
Class BindOperation
java.lang.Object
  org.opends.server.types.Operation
    org.opends.server.core.BindOperation
All Implemented Interfaces:
Runnable, PluginOperation, PostOperationBindOperation, PostOperationOperation, PostResponseBindOperation, PostResponseOperation, PreOperationBindOperation, PreOperationOperation, PreParseBindOperation, PreParseOperation
public final class BindOperation extends Operation implements PreOperationBindOperation, PreParseBindOperation, PostOperationBindOperation, PostResponseBindOperation
This class defines an operation that may be used to authenticate a user to the Directory Server. Note that, for security reasons, response messages that may be returned to the client must be carefully cleaned to ensure that they do not provide a malicious client with information that may be useful in an attack. This does impact the debuggability of the server, but that can be addressed by calling the setAuthFailureReason(LocalizableMessage) method, which can provide a reason for a failure in a form that will not be returned to the client but may be written to a log file.
-
Field Summary
-
Fields inherited from class org.opends.server.types.Operation
requestContext
-
Constructor Summary
- BindOperation(org.forgerock.services.context.Context context, BindRequest request): Creates a new bind operation with the provided information.
-
Method Summary
Methods (modifier and type, method, description):
- void addResponseControl(Control control): Adds the provided control to the set of controls to include in the response to the client.
- AuthenticationType getAuthenticationType(): Retrieves the authentication type for this bind operation.
- LocalizableMessage getAuthFailureReason(): Retrieves a human-readable message providing the reason that the authentication failed, if available.
- Dn getBindDN(): Retrieves the bind DN for this bind operation.
- OperationType getOperationType(): Retrieves the operation type for this operation.
- Dn getProxiedAuthorizationDN(): Retrieves the proxied authorization DN for this operation if proxied authorization has been requested.
- List<Control> getResponseControls(): Retrieves the set of controls to include in the response to the client.
- Entry getSASLAuthUserEntry(): Retrieves the user entry associated with the SASL authentication attempt.
- ByteString getSASLCredentials(): Retrieves the SASL credentials for this bind operation.
- String getSASLMechanism(): Retrieves the SASL mechanism for this bind operation.
- SaslServer getSaslServer(): Returns the SaslServer to use by the underlying connection, or null if SASL integrity and/or privacy protection must not be enabled.
- ByteString getServerSASLCredentials(): Retrieves the set of server SASL credentials to include in the bind response.
- ByteString getSimplePassword(): Retrieves the simple authentication password for this bind operation.
- Dn getUserEntryDN(): Retrieves the user entry DN for this bind operation.
- void removeResponseControl(Control control): Removes the provided control from the set of controls to include in the response to the client.
- void run(): Performs the work of actually processing this operation.
- static void runFakePasswordMatches(Dn bindDn, ByteString password): When using cost based hashes, ensure similar response times when login with non-existing vs.
- void setAuthenticationInfo(AuthenticationInfo authInfo): Specifies the authentication info that resulted from processing this bind operation.
- void setAuthFailureReason(LocalizableMessage reason): Specifies the reason that the authentication failed.
- void setBindDN(Dn bindDN): Specifies the bind DN for this bind operation.
- void setProxiedAuthorizationDN(Dn proxiedAuthorizationDN): Set the proxied authorization DN for this operation if proxied authorization has been requested.
- void setSASLAuthUserEntry(Entry saslAuthUserEntry): Specifies the user entry associated with the SASL authentication attempt.
- void setSASLCredentials(String saslMechanism, ByteString saslCredentials): Specifies the SASL credentials for this bind operation.
- void setSaslServer(SaslServer saslServer): Sets the SASL server.
- void setServerSASLCredentials(ByteString serverSASLCredentials): Specifies the set of server SASL credentials to include in the bind response.
- void setSimplePassword(ByteString simplePassword): Specifies the simple authentication password for this bind operation.
- void toString(StringBuilder buffer): Appends a string representation of this operation to the provided buffer.
-
Methods inherited from class org.opends.server.types.Operation
addAdditionalLogItem, addPasswordPolicyWarningToLog, addPostReadResponse, addPreReadResponse, addRequestControl, appendErrorMessage, appendMaskedErrorMessage, checkAttributeConformsToSyntax, checkIfBackendIsWritable, checkIfCanceled, createLdapException, disconnectClient, dontSynchronize, equals, evaluateProxyAuthControls, filterNonDisclosableMatchedDN, findMatchedDN, getAdditionalLogItems, getAttachment, getAttachments, getAuthorizationDN, getAuthorizationEntry, getClientConnection, getConnectionID, getContext, getErrorMessage, getLargestEntrySize, getLocalBackend, getMatchedDN, getMessageID, getOperationID, getReferralURLs, getRequestControl, getRequestControls, getResultCode, getServerContext, hashCode, hasPrivilege, hasRequestControl, invokePostResponseCallbacks, isHumanReadable, isInnerOperation, isInternalOperation, isProxyAuthzControl, isSynchronizationOperation, mustCheckSchema, operationCompleted, processOperationResult, processOperationResult, registerPostResponseCallback, removeAllDisallowedControls, removeAttachment, setAttachment, setAttachments, setAuthorizationEntry, setDontSynchronize, setErrorMessage, setInnerOperation, setInternalOperation, setMatchedDN, setReferralURLs, setResult, setResult, setResultCode, setResultCodeAndMessageNoInfoDisclosure, setSynchronizationOperation, toString, trySetLargestEntrySize
-
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
-
Methods inherited from interface org.opends.server.types.operation.PluginOperation
checkIfCanceled, disconnectClient, getAttachment, getAttachments, getClientConnection, getConnectionID, getMessageID, getOperationID, getRequestControl, getRequestControl, getRequestControls, isInternalOperation, isSynchronizationOperation, removeAttachment, setAttachment, toString
-
Methods inherited from interface org.opends.server.types.operation.PostOperationOperation
addAdditionalLogItem, appendErrorMessage, getAdditionalLogItems, getAuthorizationDN, getErrorMessage, getMatchedDN, getReferralURLs, getResultCode, setErrorMessage, setMatchedDN, setReferralURLs, setResult, setResultCode
-
Methods inherited from interface org.opends.server.types.operation.PreOperationOperation
addAdditionalLogItem, appendErrorMessage, getAdditionalLogItems, getAuthorizationDN, getErrorMessage, setErrorMessage
-
Methods inherited from interface org.opends.server.types.operation.PreParseOperation
addAdditionalLogItem, addRequestControl, appendErrorMessage, getAdditionalLogItems, getErrorMessage, setErrorMessage
-
Constructor Detail
-
BindOperation
public BindOperation(org.forgerock.services.context.Context context, BindRequest request)
Creates a new bind operation with the provided information.
Parameters:
context - The context with which this operation is associated.
request - The bind request.
-
Method Detail
-
getProxiedAuthorizationDN
public Dn getProxiedAuthorizationDN()
Description copied from class: Operation
Retrieves the proxied authorization DN for this operation if proxied authorization has been requested.
Specified by: getProxiedAuthorizationDN in class Operation
Returns: The proxied authorization DN for this operation if proxied authorization has been requested, or null if proxied authorization has not been requested.
-
setProxiedAuthorizationDN
public void setProxiedAuthorizationDN(Dn proxiedAuthorizationDN)
Description copied from class: Operation
Set the proxied authorization DN for this operation if proxied authorization has been requested.
Specified by: setProxiedAuthorizationDN in class Operation
Parameters:
proxiedAuthorizationDN - The proxied authorization DN for this operation if proxied authorization has been requested, or null if proxied authorization has not been requested.
-
getAuthenticationType
public AuthenticationType getAuthenticationType()
Description copied from interface: PreOperationBindOperation
Retrieves the authentication type for this bind operation.
Specified by: getAuthenticationType in interface PostOperationBindOperation
Specified by: getAuthenticationType in interface PostResponseBindOperation
Specified by: getAuthenticationType in interface PreOperationBindOperation
Specified by: getAuthenticationType in interface PreParseBindOperation
Returns: The authentication type for this bind operation.
-
setBindDN
public void setBindDN(Dn bindDN)
Description copied from interface: PreParseBindOperation
Specifies the bind DN for this bind operation.
Specified by: setBindDN in interface PreParseBindOperation
Parameters:
bindDN - The bind DN for this bind
-
getBindDN
public Dn getBindDN()
Description copied from interface: PreOperationBindOperation
Retrieves the bind DN for this bind operation.
Specified by: getBindDN in interface PostOperationBindOperation
Specified by: getBindDN in interface PostResponseBindOperation
Specified by: getBindDN in interface PreOperationBindOperation
Specified by: getBindDN in interface PreParseBindOperation
Returns: The bind DN for this bind operation.
-
getSimplePassword
public ByteString getSimplePassword()
Description copied from interface: PreOperationBindOperation
Retrieves the simple authentication password for this bind operation.
Specified by: getSimplePassword in interface PostOperationBindOperation
Specified by: getSimplePassword in interface PostResponseBindOperation
Specified by: getSimplePassword in interface PreOperationBindOperation
Specified by: getSimplePassword in interface PreParseBindOperation
Returns: The simple authentication password for this bind operation.
-
setSimplePassword
public void setSimplePassword(ByteString simplePassword)
Description copied from interface: PreParseBindOperation
Specifies the simple authentication password for this bind operation.
Specified by: setSimplePassword in interface PreParseBindOperation
Parameters:
simplePassword - The simple authentication password for this bind operation.
-
getSASLMechanism
public String getSASLMechanism()
Description copied from interface: PreOperationBindOperation
Retrieves the SASL mechanism for this bind operation.
Specified by: getSASLMechanism in interface PostOperationBindOperation
Specified by: getSASLMechanism in interface PostResponseBindOperation
Specified by: getSASLMechanism in interface PreOperationBindOperation
Specified by: getSASLMechanism in interface PreParseBindOperation
Returns: The SASL mechanism for this bind operation, or null if the bind does not use SASL authentication.
-
getSASLCredentials
public ByteString getSASLCredentials()
Description copied from interface: PreOperationBindOperation
Retrieves the SASL credentials for this bind operation.
Specified by: getSASLCredentials in interface PostOperationBindOperation
Specified by: getSASLCredentials in interface PostResponseBindOperation
Specified by: getSASLCredentials in interface PreOperationBindOperation
Specified by: getSASLCredentials in interface PreParseBindOperation
Returns: The SASL credentials for this bind operation, or null if there are none or if the bind does not use SASL authentication.
-
setSASLCredentials
public void setSASLCredentials(String saslMechanism, ByteString saslCredentials)
Description copied from interface: PreParseBindOperation
Specifies the SASL credentials for this bind operation.
Specified by: setSASLCredentials in interface PreParseBindOperation
Parameters:
saslMechanism - The SASL mechanism for this bind operation.
saslCredentials - The SASL credentials for this bind operation, or null if there are none.
-
getServerSASLCredentials
public ByteString getServerSASLCredentials()
Description copied from interface: PostOperationBindOperation
Retrieves the set of server SASL credentials to include in the bind response.
Specified by: getServerSASLCredentials in interface PostOperationBindOperation
Specified by: getServerSASLCredentials in interface PostResponseBindOperation
Returns: The set of server SASL credentials to include in the bind response, or null if there are none.
-
setServerSASLCredentials
public void setServerSASLCredentials(ByteString serverSASLCredentials)
Description copied from interface: PreOperationBindOperation
Specifies the set of server SASL credentials to include in the bind response.
Specified by: setServerSASLCredentials in interface PostOperationBindOperation
Specified by: setServerSASLCredentials in interface PreOperationBindOperation
Specified by: setServerSASLCredentials in interface PreParseBindOperation
Parameters:
serverSASLCredentials - The set of server SASL credentials to include in the bind response.
-
getSASLAuthUserEntry
public Entry getSASLAuthUserEntry()
Description copied from interface: PostOperationBindOperation
Retrieves the user entry associated with the SASL authentication attempt. This should be set by any SASL mechanism in which the processing was able to get far enough to make this determination, regardless of whether the authentication was ultimately successful.
Specified by: getSASLAuthUserEntry in interface PostOperationBindOperation
Specified by: getSASLAuthUserEntry in interface PostResponseBindOperation
Returns: The user entry associated with the SASL authentication attempt, or null if it was not a SASL authentication or the SASL processing was not able to map the request to a user.
-
setSASLAuthUserEntry
public void setSASLAuthUserEntry(Entry saslAuthUserEntry)
Specifies the user entry associated with the SASL authentication attempt. This should be set by any SASL mechanism in which the processing was able to get far enough to make this determination, regardless of whether the authentication was ultimately successful.
Parameters:
saslAuthUserEntry - The user entry associated with the SASL authentication attempt.
-
getAuthFailureReason
public LocalizableMessage getAuthFailureReason()
Description copied from interface: PostOperationBindOperation
Retrieves a human-readable message providing the reason that the authentication failed, if available.
Specified by: getAuthFailureReason in interface PostOperationBindOperation
Specified by: getAuthFailureReason in interface PostResponseBindOperation
Returns: A human-readable message providing the reason that the authentication failed, or null if none is available.
-
setAuthFailureReason
public void setAuthFailureReason(LocalizableMessage reason)
Description copied from interface: PreOperationBindOperation
Specifies the reason that the authentication failed.
Specified by: setAuthFailureReason in interface PostOperationBindOperation
Specified by: setAuthFailureReason in interface PreOperationBindOperation
Specified by: setAuthFailureReason in interface PreParseBindOperation
Parameters:
reason - A human-readable message providing the reason that the authentication failed.
-
getUserEntryDN
public Dn getUserEntryDN()
Description copied from interface: PreOperationBindOperation
Retrieves the user entry DN for this bind operation. It will only be available for simple bind operations (and may be different than the bind DN from the client request).
Specified by: getUserEntryDN in interface PostOperationBindOperation
Specified by: getUserEntryDN in interface PostResponseBindOperation
Specified by: getUserEntryDN in interface PreOperationBindOperation
Returns: The user entry DN for this bind operation, or null if the bind processing has not progressed far enough to identify the user or if the user DN could not be determined.
-
setAuthenticationInfo
public void setAuthenticationInfo(AuthenticationInfo authInfo)
Specifies the authentication info that resulted from processing this bind operation. This method must only be called by SASL mechanism handlers during the course of processing the processSASLBind method.
Parameters:
authInfo - The authentication info that resulted from processing this bind operation.
-
getOperationType
public OperationType getOperationType()
Description copied from interface: PluginOperation
Retrieves the operation type for this operation.
Specified by: getOperationType in interface PluginOperation
Returns: The operation type for this operation.
-
getResponseControls
public List<Control> getResponseControls()
Description copied from interface: PluginOperation
Retrieves the set of controls to include in the response to the client. The contents of this list must not be altered.
Specified by: getResponseControls in interface PluginOperation
Returns: The set of controls to include in the response to the client.
-
addResponseControl
public void addResponseControl(Control control)
Description copied from class: Operation
Adds the provided control to the set of controls to include in the response to the client. This method may not be called by post-response plugins.
Specified by: addResponseControl in interface PostOperationOperation
Specified by: addResponseControl in interface PreOperationOperation
Specified by: addResponseControl in interface PreParseOperation
Specified by: addResponseControl in class Operation
Parameters:
control - The control to add to the set of controls to include in the response to the client.
-
removeResponseControl
public void removeResponseControl(Control control)
Description copied from class: Operation
Removes the provided control from the set of controls to include in the response to the client. This method may not be called by post-response plugins.
Specified by: removeResponseControl in interface PostOperationOperation
Specified by: removeResponseControl in interface PreOperationOperation
Specified by: removeResponseControl in interface PreParseOperation
Specified by: removeResponseControl in class Operation
Parameters:
control - The control to remove from the set of controls to include in the response to the client.
-
toString
public void toString(StringBuilder buffer)
Description copied from interface: PluginOperation
Appends a string representation of this operation to the provided buffer.
Specified by: toString in interface PluginOperation
Specified by: toString in class Operation
Parameters:
buffer - The buffer into which a string representation of this operation should be appended.
-
run
public void run()
Description copied from class: Operation
Performs the work of actually processing this operation. This should include all processing for the operation, including invoking pre-parse and post-response plugins, logging messages and any other work that might need to be done in the course of processing.
-
getSaslServer
public SaslServer getSaslServer()
Returns the SaslServer to use by the underlying connection, or null if SASL integrity and/or privacy protection must not be enabled.
Returns: The SaslServer to use by the underlying connection, or null if SASL integrity and/or privacy protection must not be enabled.
-
setSaslServer
public void setSaslServer(SaslServer saslServer)
Sets the SASL server.
Parameters:
saslServer - the SASL server to set
-
runFakePasswordMatches
public static void runFakePasswordMatches(Dn bindDn, ByteString password) throws LdapException
When cost-based hashes are in use, ensures similar response times for logins with non-existing and existing users; this also applies to other failure conditions.
Parameters:
bindDn - the bind DN
password - the bind password
Throws:
LdapException - If a problem occurs while attempting to encode the password.
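The following added example shows two behaviours this page describes together: a generic client-facing failure message with the detailed reason kept for the log, and a full-cost hash computed for non-existing users so response times stay similar. It is JDK-only illustration code, not OpenDJ's implementation; the class UniformBindDemo, its methods, the PBKDF2 parameters and the sample DNs are assumptions.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Added illustration (Java 16+); not OpenDJ code. All names here are hypothetical. */
public class UniformBindDemo {
    static final int ITERATIONS = 100_000, KEY_BITS = 256;      // assumed cost settings
    static final String CLIENT_MESSAGE = "Invalid credentials"; // the only text a client sees

    record Stored(byte[] salt, byte[] hash) {}
    record Result(boolean ok, String clientMessage, String logReason) {}

    private final Map<String, Stored> users = new HashMap<>();
    // Decoy record hashed with the same cost as real entries; it can never authenticate.
    private final Stored decoy = newStored("decoy-never-matches".toCharArray());

    static byte[] pbkdf2(char[] pw, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(pw, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static Stored newStored(char[] pw) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new Stored(salt, pbkdf2(pw, salt));
    }

    void addUser(String dn, char[] pw) { users.put(dn, newStored(pw)); }

    Result bind(String dn, char[] pw) {
        Stored s = users.get(dn);
        // Unknown DN: still pay the full hash cost against the decoy record,
        // so response time does not reveal whether the entry exists.
        Stored target = (s != null) ? s : decoy;
        boolean match = MessageDigest.isEqual(pbkdf2(pw, target.salt()), target.hash());
        if (s != null && match) return new Result(true, "", "");
        // The detailed reason is for the log only; the client gets the generic message.
        String reason = (s == null) ? "no entry for bind DN " + dn : "password mismatch for " + dn;
        return new Result(false, CLIENT_MESSAGE, reason);
    }

    public static void main(String[] args) {
        UniformBindDemo d = new UniformBindDemo();
        d.addUser("uid=alice,dc=example,dc=com", "s3cret".toCharArray()); // constructed sample data
        for (String dn : new String[] {"uid=alice,dc=example,dc=com", "uid=nobody,dc=example,dc=com"}) {
            long t0 = System.nanoTime();
            Result r = d.bind(dn, "wrong".toCharArray());
            long ms = (System.nanoTime() - t0) / 1_000_000;
            System.out.printf("client: %s | log: %s | %d ms%n", r.clientMessage(), r.logReason(), ms);
        }
    }
}
```

Both failed binds return the same client message and take roughly the same time, while the log reason still distinguishes a missing entry from a wrong password.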
-